New Member

limit external access to docker

What is the best way to limit access to the Docker image to just certain IPs?

I have tried to play with iptables on the Ubuntu host and I have had no joy with it:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  0.0.0.0/0            0.0.0.0/0
DOCKER-ISOLATION  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
DOCKER     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            172.19.0.2           tcp dpt:24224
ACCEPT     tcp  --  0.0.0.0/0            172.19.0.3           tcp dpt:8443
ACCEPT     tcp  --  0.0.0.0/0            172.19.0.3           tcp dpt:8080
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  -- !172.18.0.0/16        0.0.0.0/0
DROP       all  --  0.0.0.0/0           !172.18.0.0/16
RETURN     all  --  0.0.0.0/0            0.0.0.0/0

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443


Accepted Solutions
New Member

Re: limit external access to docker

To answer my own question: yes, those who answered were right.

https://docs.docker.com/engine/userguide/networking/default_network/container-communication/#communi...


Docker’s forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, to restrict external access such that only source IP 8.8.8.8 can access the containers, the following rule could be added:

$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
where ext_if is the name of the interface providing external connectivity to the host.


So basically I just need that rule in place, and ext_if is eth0 in my case.

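
The following is an added example, not code from the thread, from UNMS, or from Docker's documentation. The one-line `! -s` rule quoted above only handles a single permitted address, and Docker's current documentation places that rule in DOCKER-USER rather than DOCKER, because the daemon rebuilds the DOCKER chain itself and leaves DOCKER-USER alone (the listing in the question shows DOCKER-USER already present and evaluated first in FORWARD). The script below generalizes to several management sources, keeps connections that the containers themselves open working, and avoids the trap visible in the question's listing: published ports are DNAT'd in PREROUTING to the container port (8443 and 8080 in the DOCKER chain above) before FORWARD sees them, so a `tcp dpt:443` rule in FORWARD or DOCKER never matches, and that traffic never traverses INPUT at all. The interface name eth0 and the two client ranges 203.0.113.10 and 198.51.100.0/24 are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example; not from the thread, UNMS, or Docker's documentation.
# Generates (and optionally applies) an iptables source allowlist for
# Docker-published ports using the DOCKER-USER chain.
#
# Assumptions made here, not stated in the thread: the external interface is
# eth0 and the permitted management clients are 203.0.113.10 and
# 198.51.100.0/24 (documentation ranges, chosen for illustration).

# Print the iptables commands for an allowlist on the given interface.
# Arguments: <external-interface> <allowed-source> [<allowed-source> ...]
# The plan is emitted as text so it can be reviewed first and so this
# function runs without root.
docker_user_allowlist() {
    ifname="$1"
    shift
    # Start from a clean chain so re-running is idempotent. Docker creates
    # DOCKER-USER with a single RETURN and does not rewrite it the way it
    # rewrites its own DOCKER chain.
    printf 'iptables -F DOCKER-USER\n'
    # Replies to connections the containers opened (updates, device polling)
    # also enter FORWARD from the external interface. DOCKER-USER is evaluated
    # before Docker's own RELATED,ESTABLISHED accept, so let them through
    # explicitly or every outbound connection from a container breaks.
    printf 'iptables -A DOCKER-USER -i %s -m conntrack --ctstate RELATED,ESTABLISHED -j RETURN\n' "$ifname"
    # One RETURN per permitted management source; RETURN hands the packet
    # back to FORWARD, where Docker's DOCKER chain accepts published ports.
    for src in "$@"; do
        printf 'iptables -A DOCKER-USER -i %s -s %s -j RETURN\n' "$ifname" "$src"
    done
    # Everything else arriving from the outside for a container is dropped.
    # No --dport here: after Docker's PREROUTING DNAT the destination port
    # is the container port (8443), not the published one (443).
    printf 'iptables -A DOCKER-USER -i %s -j DROP\n' "$ifname"
    # Traffic from other interfaces (docker0, LAN) keeps Docker's default path.
    printf 'iptables -A DOCKER-USER -j RETURN\n'
}

# Number of rule lines the plan produces, for a sanity check before applying
# (1 flush + 1 conntrack + N sources + 1 drop + 1 return).
docker_user_allowlist_count() {
    docker_user_allowlist "$@" | wc -l | tr -d ' '
}

# Execute the plan. Needs root and a running Docker daemon (so that the
# DOCKER-USER chain exists). Review the output of docker_user_allowlist first.
apply_docker_user_allowlist() {
    docker_user_allowlist "$@" | sh -e
}

# Preview only; nothing on the host is changed.
docker_user_allowlist eth0 203.0.113.10 198.51.100.0/24
```

Run the preview as an unprivileged user, then apply as root with `apply_docker_user_allowlist eth0 203.0.113.10 198.51.100.0/24`. Verify with `iptables -S DOCKER-USER` and by connecting to the published UNMS ports from a host outside the allowlist. The rules survive a Docker daemon restart but not a host reboot; persist them with `iptables-save` or the netfilter-persistent package.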


All Replies
Ubiquiti Employee

Re: limit external access to docker

The Docker container is not accessible to the outside world at all, but there are specific ports mapped to the host and accessible via the host's address. You can type docker ps to see how the ports are mapped.

This means that you need to limit access to certain ports on the host, not specifically to the Docker container. This page explains how to do it using either iptables or ufw:

https://askubuntu.com/questions/615343/allow-ubuntu-server-access-only-from-specific-ips

New Member

Re: limit external access to docker

Thanks Jaro,

 

What I meant was the overall access to UNMS via the internet, as it is not possible to control it via iptables any more (maybe it was the way I put the rules?).

All I need to do is make sure only a handful of client IP addresses can gain access to UNMS for management. Is it possible?

Member

Re: limit external access to docker

Drop traffic to 80/443, or whatever ports you're using, on the public-facing IP address of your server from all sources except the ones you want. It's got nothing to do with Docker if you went with their install script; it's plain old iptables.
